1 Introduction

Since the 1970s and the first key-exchange protocol, the security of the vast majority of asymmetric cryptosystems has relied on the hardness of two main number theory problems: the factorization of large integers and the computation of discrete logarithms. Given a finite cyclic group \((G, \cdot )\) of order \(\ell \), a generator g of this group, and an element \(a \in G\), the goal of the discrete logarithm problem (DLP) is to solve \(g^x=a\) for \(x \in {\mathbb Z}/ \ell {\mathbb Z}\). In this paper, we focus on discrete logarithms in finite fields of the form \({\mathbb F}_{p^6}\), where p is a prime. This corresponds to the medium characteristic situation studied in [30]. Breaking discrete logarithms in such a field can affect torus-based cryptography [34, 43] (XTR and its generalization CEILIDH) and pairing-based [16] cryptography.

1.1 XTR and Torus-Based Cryptography

The XTR setting considers the cyclotomic subgroup of a small degree extension \({\mathbb F}_{p^2}\) or \({\mathbb F}_{p^6}\). It was generalized to higher extensions, and led to torus-based cryptography. When these settings were proposed in 2000, computing a discrete logarithm in a non-prime field was supposed to be much harder than in a prime field. The cost is usually given in terms of the L-notation: \(L_{p^n}[\alpha , c] = \exp \left( (c + o(1)) \log (p^n)^{\alpha } \log \log (p^n)^{1-\alpha }\right) \). In 2005, Granger and Vercauteren estimated the cost of computing discrete logarithms in the torus of \({\mathbb F}_{p^6}\) to be in \(L_{p^n}[1/2]\) rather than in \(L_{p}[1/3]\) for prime fields [21]. One year later, in 2006, an \(L_{p^n}[1/3, c=2.43]\) variant of NFS was proposed [30]. Since then, the constant c was improved from 2.43 to 2.21 (see [5]) and now 1.93 (1.74 in the favorable case) with the so-called exTNFS [32] in the specific case of composite extension degree n (e.g. \(n=6\)). Multiple-field variants (MNFS) could reduce the constant c even further.

The record computation of a discrete logarithm in a field \({\mathbb F}_{p^6}\) is held by Zajac for a 240-bit field [49], done in less than 38 days on a single 2 GHz computer. The relation collection was realized in about 24 days with a generalized line sieve algorithm: this was clearly the dominating part. The recent records are focused on improving this costly relation collection: the same numerical example of [49] was done again with a dedicated algorithm for dimension three, in about the same time by Hayasaka et al. [27] and in less than one day by Gaudry et al. [18]. They also performed a relation collection for a 389-bit field in less than 800 days. One part of our experimental data completes their work: we describe the linear algebra and one individual logarithm computation in Sect. 5.

1.2 Pairing-Friendly Curves of Small Embedding Degree

The Weil and Tate pairings on elliptic curves were proposed as a constructive building block in asymmetric cryptography in 2000 for key exchange [28], short digital signatures [10] and identity-based encryption [9, 31]. A pairing is a map \(e: {\mathbb {G}}_1 \times {\mathbb {G}}_2 \rightarrow {\mathbb {G}}_T\) where the three groups are of large prime order \(\ell \), \({\mathbb {G}}_1\) and \({\mathbb {G}}_2\) are two distinct subgroups (of the same order) of a pairing-friendly elliptic curve, and \({\mathbb {G}}_T\), the target group, is a multiplicative subgroup of a finite field.

To ensure a good level of security for a pairing-friendly curve, one needs to estimate the complexity of computing a discrete logarithm in the prime order subgroup \(E({\mathbb F}_q)[\ell ]\) of the curve on the one hand, and in the multiplicative subgroup of order \(\ell \) of the embedding field \({\mathbb F}_{q^k}={\mathbb F}_{p^n}\) on the other hand (and when q is a prime power, make sure that the embedding field is not actually a strict subfield of \({\mathbb F}_{q^k}\)). The state of the art for the former is \(O(\sqrt{\ell })\). For the latter, the quasi-polynomial-time, Function Field Sieve or Number Field Sieve algorithms apply, each to a certain type of fields.

A degree six extension field \({\mathbb F}_{p^6}\) is used in XTR and the cyclotomic subgroup of order \(p^2-p+1\) is considered. It is also the field where a pairing takes its values, the elliptic curve being supersingular, defined over \({\mathbb F}_{p^2}\) and of order \(p^2-p+1\). The hardness of a discrete logarithm computation on the curve, of prime order subgroup \(\ell \), has exponential growth \(O(\sqrt{\ell })\), compared to subexponential growth \(L_{p^6}[1/3, c]\) in the target field \({\mathbb F}_{p^6}\). For this reason, for p above some threshold, the weakness against a discrete logarithm computation attack switches from the curve to the finite field. Since \(\ell \approx p^2-p+1\) by construction, the complexity is actually in O(p). For the size we target (p of 71 bits and \(\ell \) of 132 bits), the computation is already much faster in \({\mathbb F}_{p^6}\).

The situation is reversed for an MNT curve (introduced by Miyaji et al. in 2001 [39]). An MNT curve is defined over a prime field \({\mathbb F}_p\) and has prime order \(\ell \), hence a complexity in \(O(\sqrt{\ell }) \sim O(\sqrt{p})\). This is easier than a computation in \({\mathbb F}_{p^6}\) for a 422-bit finite field. Because of the small size of our experiment, we expect the threshold for an MNT curve to be significantly larger than the prime p that is targeted in this work. We decided to focus on supersingular curves of order \(p^2-p+1\) in this paper.

Supersingular Curves. The supersingular curves are equipped with an easy-to-compute distortion map \(\phi : E({\mathbb F}_{q^k}) \rightarrow E({\mathbb F}_{q^k})\). It can be turned into an isomorphism \(\phi :{\mathbb {G}}_1 \rightarrow {\mathbb {G}}_2\), which is not available for ordinary curves. Many pairing-based cryptosystems can now be re-stated with an asymmetric pairing [35], where there is no straightforward isomorphism \({\mathbb {G}}_1 \rightarrow {\mathbb {G}}_2\). However in certain cases this is not possible, so that efficient symmetric pairings are still desired. The earliest “fast” symmetric pairings are now completely broken since they used supersingular curves over fields of characteristic 2 or 3: the target group is then a subgroup of \({\mathbb F}_{2^{4n}}\) or \({\mathbb F}_{3^{6m}}\), and the quasi-polynomial-time algorithm [6] is particularly devastating [1, 20]. Since this algorithm does not apply to large characteristic, three constructions of supersingular curves survived. The first two are defined over a (large) prime field \({\mathbb F}_p\), and their embedding field is \({\mathbb F}_{p^2}\). The computation of a discrete logarithm in \({\mathbb F}_{p^2}\) was studied in [5]. The third construction uses supersingular curves defined over a quadratic field \({\mathbb F}_{p^2}\), of embedding degree 3, their embedding field being \({\mathbb F}_{p^6}\). This is the practical application of our discrete logarithm computation. An efficient Ate pairing computation on these curves was proposed in [12], and is competitive compared to supersingular curves of embedding degree 2. Numerical examples are provided in Sect. 5.

Our Contributions. To attack the DLP over \({\mathbb F}_{{p}^{6}}\), we needed to improve several parts of NFS. A key ingredient to our computation is the use of sieving in dimension 3, which follows [18] and is explained in Sect. 2, as opposed to traditional sieving in dimension 2 (that is, “(a, b) pairs” encoding \(a-bx\) become “\((a_0,a_1,a_2)\) triples” encoding \(a_0+a_1x+a_2x^2\)). To lower the impact of using ideals of degree 2, we were able to use nice families of cyclic degree 6 extensions, in which these ideals have a virtual logarithm equal to zero, see Sect. 3. Last, the individual logarithm computation had to be optimized: we were able to decrease the initial sizes of the boots needed, and we used a descent in dimension three in Sect. 2.5.

Our article is organized as follows. Section 2 contains a succinct description of NFS-DL and insists on the algebraic part, some of which is reused in Sect. 3 that justifies our choice of degree 6 cyclic extensions to solve the problem. Section 4 builds on this and explains the selection of polynomials. Section 5 contains a list of discrete logarithm computations we were able to perform.

2 A Crash Course on NFS-DL

We start with an overview of NFS-DL, and then give technical details on the actual algebraic factorization of ideals in number fields, relevant to our computation.

Our goal is to compute discrete logarithms in the order \(\ell \) subgroup of \({\mathbb F}_{{p}^{n}}^*\), where \(\ell \) is a prime divisor of \(\varPhi _n(p)\), coprime to \(\varPhi _c(p)\) for all \(c\mathrel |n\). (This assumption matches the definition of embedding field of the pairing, mentioned in Sect. 1.2.)

2.1 Overview

The first step is the polynomial selection phase, where we find two irreducible (over \({\mathbb Q}\)) polynomials \(f_0\) and \(f_1\) with integer coefficients, and such that \(\varphi = \gcd (f_0, f_1) \bmod p\) is a degree n irreducible polynomial. We build \({\mathbb F}_{{p}^{n}}\) as \({\mathbb F}_{p}[X]/(\varphi )\) (Fig. 1).

Fig. 1. The NFS diagram to compute discrete logarithms in \({\mathbb F}_{{p}^{n}}^*\).

We write \(K_i = {\mathbb Q}(\alpha _i)\) for some root \(\alpha _i\) of \(f_i\) for \(i \in \{0, 1\}\). In the relation collection phase, we look for polynomials of degree \(t-1\), say \(A(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1}\), with integer coefficients, so that the integral pseudonorm

$${{\mathrm{Res}}}_x(f_i(x), A(x))$$

factors over a factor basis \(\mathcal {B}_i\subset {\mathbb Z}\) (for \(i \in \{0, 1\}\)). If this is achieved, then the algebraic numbers \(A(\alpha _0)\) and \(A(\alpha _1)\) factor as a product of prime ideals above prime elements in their factor bases. Applying reduction from \(K_i\) to \({\mathbb F}_{{p}^{n}}\), we get an additive relation between virtual logarithms of elements in the factor bases.

Once enough relations are collected, the linear algebra step aims to solve the relevant system and get the virtual logarithms of the primes.

In a last step, and perhaps the most significant from a cryptanalytic point of view, we compute individual logarithms using a method called descent. It should be remarked that this last step validates all the preceding computations.

2.2 Relation Collection

The relation collection examines a subset \(\mathcal {S}\) of the whole set of polynomials A(x) of degree \(t-1\). The subset \(\mathcal {S}\) is called the search space and is made of the polynomials A(x) of bounded coefficients. This search space is chosen so as to contain sufficiently many polynomials A to get a complete set of relations, that is, more than \(\#(\mathcal {B}_0 \cup \mathcal {B}_1)\). A way to estimate the relations yield for a given \(\mathcal {S}\) is to use the Murphy-E quantity [18, 40].

The cost of factoring the integral pseudonorms and testing whether the factors are in the corresponding factor basis, for each polynomial A on both sides, is prohibitive. This is why we use sieving algorithms to partially factor the integral pseudonorm of all the polynomials in \(\mathcal {S}\), in order to detect promising candidates that have a good chance of having a complete factorization involving only elements of the factor basis. Sieving algorithms have a major drawback: their memory consumption is proportional to the size of \(\mathcal {S}\). All modern record computations of discrete logarithms in finite fields required \(\mathcal {S}\) to be far too large to fit in memory (the 596-bit record of [11] needed more than \(2^{60}\) elements, and [17] needed \(2^{61.5}\)).

To mitigate these drawbacks, Pollard [42] suggested dividing the search space into many subsets of \(\mathcal {S}\) using the special-\(\mathfrak q\)-method: all the elements A of a subset share the property that the factorization of \(A(\alpha _0)\) (or resp. \(A(\alpha _1)\)) involves the ideal \(\mathfrak q\), if the special-\(\mathfrak q\) is forced on side 0 (resp. 1). If the special-\(\mathfrak q\)s are large enough, only a small number of elements are duplicated across the different subsets. The number of elements per subset, called sieving region, is adapted to fit into memory (typically \(2^{31}\) elements per special-\(\mathfrak q\)) and the sieve algorithm in each subset can be processed independently. The special-\(\mathfrak q\)-method was extended to polynomials of any degree by Hayasaka et al. [26]. Enumerating the elements inside a special-\(\mathfrak q\)-subset can be performed using the algorithms proposed in [18, 27]: we used in our practical computations an implementation of the three types of sieve described in [18]. The implementation is available in CADO-NFS [48].

2.3 Algebraic Factorization

Let \(f(x) = c_d x^d + \cdots + c_0\), and denote by K the associated number field \(K = {\mathbb Q}[X]/(f(X)) = {\mathbb Q}(\alpha )\) and \(O_K\) its ring of integers (maximal order). We wish to factor the principal ideal \(\langle A(\alpha )\rangle = A(\alpha ) O_K\) where \(A(x) = a_0 + \cdots + a_{t-1} x^{t-1}\) into prime ideals. To overcome the problem that this ideal might be fractional (non-integral), it is customary to consider the ideal \(\langle J_f^{\deg A} A(\alpha )\rangle \) instead, where

$$J_f = \langle 1,\alpha \rangle ^{-1}=\langle c_d, c_d \alpha + c_{d-1}, \ldots , c_d \alpha ^{d-1} + c_{d-1} \alpha ^{d-2} + \cdots + c_1\rangle $$

(see [15, Sect. 9]). Then \(\langle J_f^{\deg A} A(\alpha )\rangle \) is an integral ideal, which factors as

$$\begin{aligned} \langle J_f^{\deg A} A(\alpha )\rangle = \prod _{i} \mathfrak {q}_i^{u_i} \end{aligned}$$
(1)

for integers \(u_i\) and prime ideals \(\mathfrak {q}_i\) (over some finite range for the index i).

Computing the valuations in (1) might require some careful work for a few \(\mathfrak q\)’s, as detailed in [13, Chaps. 4 and 6]. We start from the factorization of the norm

$$\mathcal {R} = {{\mathrm{Res}}}_x(A(x), f(x)) = \prod _{j} q_j^{v_j}$$

where \(q_j\) is a rational prime which is the norm of one or several of the \(\mathfrak {q}_i\)’s. \(\mathcal {R}\) is precisely the norm of the integral ideal \(\langle J_f^{\deg A} A(\alpha )\rangle \). In great generality, we have a direct relation between \(q_j\) and only one \( \mathfrak {q}_i\), but in a few cases, telling apart which of the \(\mathfrak {q}\) appear above a given q is not straightforward. Computer algebra software such as Magma or PARI/GP can help. Fortunately, only finitely many of these non-straightforward cases may exist, so that some precomputation ahead of time is possible, and useful.

Since the first task is to compute the factorization of the norm, the factor basis is first and foremost the set of rational primes q for which \(f(x) \bmod q\) has roots. While enumerating this set, some exceptional (yet non-exclusive) events can be detected: when \(q \mid c_d\), we have a projective ideal; when q divides \({{\mathrm{disc}}}(f)\) to some high power, or when f has multiple roots mod q, we have a bad ideal. A nice degree 1 ideal is simply \(\langle q, \alpha - r\rangle \) where r is a simple root of \(f(X) \bmod q\), in such a way that the ideal is completely characterized by (q, r). On the contrary, a bad ideal cannot be so simply described; to differentiate these ideals, limited lifting in the q-adic field \({\mathbb Q}_q\) is useful.

Post-sieving and Schirokauer Maps. For this experiment, valuations at prime ideals were computed with Magma. The rest of the computation, namely all the filtering and linear algebra, was done with CADO-NFS. The final computation of individual logarithms requires some care, since higher dimensional sieving is used again.

Schirokauer maps are defined as follows. We assume that \(\ell \) does not ramify in K, and let \(m_i\) be the inertia degrees of prime ideals above \(\ell \). We let \(\epsilon ={\text {lcm}}(\{\ell ^{m_i}-1\})\). Let \(\mathcal {T}\) denote the set of number field elements with zero valuation at all prime ideals above \(\ell \). Let \(a=A(\alpha )\in \mathcal {T}\). The \(\ell \)-adic expansion of \(a^\epsilon -1\) can be written as \(\ell L(a)(\alpha )+O(\ell ^2)\), with \(L(a)\in {\mathbb Z}/\ell {\mathbb Z}[x]\) and \(\deg L(a)<n\). We let the Schirokauer maps be the r-coordinate vector \(\varLambda (a)\) formed by coefficients of degree \(n-r\) to \(n-1\) of L(a), where r is the unit rank of K. The map \(\varLambda \) is a homomorphism from \((\mathcal {T}/\mathcal {T}^\ell ,\times )\) to \((({\mathbb Z}/\ell {\mathbb Z})^r,+)\). We conjecture, following [46], that its restriction to units is surjective. In fact, fairly little is canonical with L (and hence with \(\varLambda \)), as it depends on the choice of the generating element \(\alpha \). We do however note, as it plays an important role in this paper, that the constant coefficient of L(a) is special: if \(\mathrm {deg}(L(a)) = 0\), so is \(\mathrm {deg}(L(a^\sigma ))\) for any field automorphism \(\sigma \) (this also extends to subfields).

Virtual logarithms of the r coordinates of the Schirokauer map vector \(\varLambda \) are denoted by \(({{\mathrm{vlog}}}( SM _i))_{1\le i\le r}\), or \(({{\mathrm{vlog}}}( SM _{s,i}))_{1\le i\le r}\) when emphasis on the side \(s\in \{0,1\}\) is desired.
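As an added illustration of the definition above (example code written for this page, not the authors' CADO-NFS or Magma code), the following computes \(\varLambda \) on the toy real quadratic field \(K={\mathbb Q}(\sqrt{2})\), \(f = x^2-2\), where \(n=2\) and the unit rank is \(r=1\). The shortcut used to obtain the inertia degrees of \(\ell \) is an assumption specific to this quadratic toy field, and the elements tested (the fundamental unit \(1+\sqrt{2}\) and \(2+\sqrt{2}\)) are constructed; the checks that \(\varLambda \) is additive and that \(\varLambda (a^\ell )=0\) are the two properties of the map that the text states.

```python
# Schirokauer map Lambda on K = Q(sqrt 2), f(x) = x^2 - 2, as defined in Sect. 2.3.
# Added example with a constructed field and constructed elements; not the paper's code.
from math import lcm

F = [-2, 0, 1]      # f(x) = x^2 - 2, monic, coefficients low degree first
N_DEG = 2           # n = [K:Q]
UNIT_RANK = 1       # r: K has two real embeddings and no complex ones, so r = 2 - 1

def poly_mulmod(a, b, f, m):
    """(a * b) mod f with coefficients reduced mod m; f monic, lists low degree first."""
    d = len(f) - 1
    prod = [0] * max(len(a) + len(b) - 1, d)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % m
    for k in range(len(prod) - 1, d - 1, -1):       # replace x^k, k >= d, using f(x) = 0
        c, prod[k] = prod[k], 0
        for i in range(d):
            prod[k - d + i] = (prod[k - d + i] - c * f[i]) % m
    return prod[:d]

def poly_powmod(a, e, f, m):
    """a^e mod f, coefficients mod m, by square-and-multiply."""
    result, base = [1] + [0] * (len(f) - 2), list(a)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, m)
        base = poly_mulmod(base, base, f, m)
        e >>= 1
    return result

def inertia_degrees(ell):
    """Inertia degrees m_i of the primes above ell in Q(sqrt 2), for odd unramified ell:
    two degree-1 primes if 2 is a square mod ell, one degree-2 prime otherwise.
    Assumption: this shortcut is specific to the quadratic toy field."""
    splits = any((t * t - 2) % ell == 0 for t in range(ell))
    return [1, 1] if splits else [2]

def norm(a):
    """N_{K/Q}(a0 + a1*sqrt 2) = a0^2 - 2*a1^2."""
    return a[0] * a[0] - 2 * a[1] * a[1]

def schirokauer_map(a, ell):
    """Lambda(a): coefficients n-r .. n-1 of L(a), where a^eps - 1 = ell*L(a)(alpha) + O(ell^2)."""
    assert norm(a) % ell != 0, "a must lie in T: zero valuation at every prime above ell"
    eps = lcm(*[ell ** m - 1 for m in inertia_degrees(ell)])
    m2 = ell * ell
    power = poly_powmod([c % m2 for c in a], eps, F, m2)
    power[0] = (power[0] - 1) % m2                  # a^eps - 1, known mod ell^2
    assert all(c % ell == 0 for c in power)         # a^eps = 1 mod ell (Fermat in O_K/ell)
    L = [(c // ell) % ell for c in power]           # the ell-adic digit of order 1
    return L[N_DEG - UNIT_RANK:]

def is_homomorphic(a, b, ell):
    """Check Lambda(ab) = Lambda(a) + Lambda(b) mod ell for two given elements."""
    lhs = schirokauer_map(poly_mulmod(a, b, F, ell * ell), ell)
    rhs = [(x + y) % ell for x, y in zip(schirokauer_map(a, ell), schirokauer_map(b, ell))]
    return lhs == rhs

if __name__ == "__main__":
    unit = [1, 1]                                   # 1 + sqrt 2, the fundamental unit
    print("Lambda(1 + sqrt 2) mod 7 =", schirokauer_map(unit, 7))                  # [3]
    print("Lambda(unit^7) mod 7 =", schirokauer_map(poly_powmod(unit, 7, F, 49), 7))  # [0]
    print("additivity on constructed elements:", is_homomorphic(unit, [2, 1], 7))
```

For \(\ell =7\) the prime splits, so \(\epsilon = 6\), and \((1+\sqrt{2})^6 = 99+70\sqrt{2} \equiv 1 + 21\sqrt{2} \pmod{49}\), giving \(L = 3x\) and \(\varLambda (1+\sqrt{2}) = (3)\): the unit has a non-zero image, as the surjectivity conjecture predicts, while its constant coefficient is zero.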

Numbering Ideals in a Sensible Way. In CADO-NFS, the output of the sieve is a list of rational primes dividing the norm of some \(\langle J_f^{\deg A} A(\alpha )\rangle \). Let q be one such prime. Most often, prime ideals above q are written as \(\mathfrak {q}=\langle q,\alpha -r\rangle \), for r a root of \(f\bmod q\). The ideal \(\mathfrak {q}\) contributes to the factorization of \(\langle J_f^{\deg A} A(\alpha )\rangle \) if \(A(r)=0\mod q\). If A and f have several roots in common modulo q, extra work is needed to separate the contribution of the ideals. Extra work is also needed for the exceptional cases of prime ideals whose two-element form can only be written as \(\langle q, q_0 + q_1 \alpha + \cdots + q_{d-1} \alpha ^{d-1}\rangle \). To ensure consistent numbering, we keep a conversion table from prime ideals to column indices in the relation matrix.
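The following added example (written for this page, not the authors' Magma post-processing) walks through the procedure of this subsection on a small constructed case: it computes the norm \({{\mathrm{Res}}}_x(A, f)\) through a Sylvester determinant, factors it, and for each prime q reads off the ideals above q from \(\gcd (f \bmod q, A \bmod q)\), producing the (q, r) form for a nice degree 1 ideal and raising the flags discussed above (projective, bad, several ideals above q, or no simple (q, r) description) otherwise. The polynomial f is \(C_1\) from the family of Sect. 3.1 and \(A = 1 + x^2\) is a constructed triple; A is assumed to have coprime coefficients. Root finding is by brute force and is only meant for the small q of a demonstration.

```python
# Reading prime ideals off the norm Res_x(A, f), as in Sect. 2.3.  Added example with
# f = C_1 from the cyclic family of Sect. 3.1 and a constructed A; not the paper's Magma
# post-processing.  Polynomials are integer lists, low degree first.

def sylvester_resultant(f, g):
    """Res(f, g) as the determinant of the Sylvester matrix, computed by fraction-free
    (Bareiss) elimination so that every intermediate value stays an integer."""
    m, n = len(f) - 1, len(g) - 1
    size = m + n
    rows = [[0] * i + f[::-1] + [0] * (n - 1 - i) for i in range(n)]
    rows += [[0] * i + g[::-1] + [0] * (m - 1 - i) for i in range(m)]
    M, sign, prev = rows, 1, 1
    for k in range(size - 1):
        if M[k][k] == 0:
            pivot = next((i for i in range(k + 1, size) if M[i][k] != 0), None)
            if pivot is None:
                return 0
            M[k], M[pivot], sign = M[pivot], M[k], -sign
        for i in range(k + 1, size):
            for j in range(k + 1, size):
                M[i][j] = (M[i][j] * M[k][k] - M[i][k] * M[k][j]) // prev
        prev = M[k][k]
    return sign * M[size - 1][size - 1]

def discriminant(f):
    """disc(f) = (-1)^{d(d-1)/2} Res(f, f') / lc(f)."""
    d = len(f) - 1
    fprime = [i * f[i] for i in range(1, d + 1)]
    sign = -1 if (d * (d - 1) // 2) % 2 else 1
    return sign * sylvester_resultant(f, fprime) // f[-1]

def trim_mod(a, q):
    a = [c % q for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_gcd_mod(a, b, q):
    """Monic gcd of a and b over F_q, q prime (Euclid with explicit remainders)."""
    a, b = trim_mod(a, q), trim_mod(b, q)
    while b:
        inv = pow(b[-1], -1, q)
        while len(a) >= len(b):                      # a <- a mod b
            coef, shift = (a[-1] * inv) % q, len(a) - len(b)
            for i, c in enumerate(b):
                a[shift + i] = (a[shift + i] - coef * c) % q
            a = trim_mod(a, q)
        a, b = b, a
    inv = pow(a[-1], -1, q)
    return [(c * inv) % q for c in a]

def trial_factor(n):
    """Prime factorisation of |n| by trial division (enough for the small norms of a demo)."""
    n, out, q = abs(n), {}, 2
    while q * q <= n:
        while n % q == 0:
            out[q] = out.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out

def ideal_report(f, A):
    """Norm R = Res(A, f) and, for each prime q | R, the prime ideals of Q[x]/(f) above q
    that can divide <J_f^{deg A} A(alpha)>, written (q, r, degree) when the ideal is <q, alpha - r>."""
    R, disc, report = sylvester_resultant(A, f), discriminant(f), {}
    for q, v in trial_factor(R).items():
        entry = {"valuation_of_norm": v, "flags": [], "ideals": []}
        if f[-1] % q == 0:
            entry["flags"].append("projective: q | c_d")
        if disc % q == 0:
            entry["flags"].append("bad: q | disc(f), valuations need q-adic lifting")
        g = poly_gcd_mod(f, A, q)                    # common factor of f and A over F_q
        roots = [r for r in range(q)                 # brute force: only for small q
                 if sum(c * pow(r, i, q) for i, c in enumerate(g)) % q == 0]
        if len(roots) == len(g) - 1:                 # g splits into distinct linear factors
            entry["ideals"] = [(q, r, 1) for r in roots]
            if len(roots) > 1:
                entry["flags"].append("several degree-1 ideals above q: separate their valuations")
        else:                                        # irreducible factor of degree > 1, or repeated root
            entry["ideals"] = [(q, tuple(g), len(g) - 1)]
            entry["flags"].append("no simple (q, r) description")
        report[q] = entry
    return R, report

C1 = [1, 8, 5, -20, -20, -2, 1]      # C_1(x) = x^6 - 2x^5 - 20x^4 - 20x^3 + 5x^2 + 8x + 1

if __name__ == "__main__":
    R, report = ideal_report(C1, [1, 0, 1])          # constructed A(x) = 1 + x^2
    print("Res =", R)                                 # 1301
    for q, entry in report.items():
        print(q, entry)
    print("disc(C_1) matches Sect. 3.1:", discriminant(C1) == 2**6 * 3**6 * 13**5)
```

Here the norm is the prime 1301, and since \(C_1(51) \equiv 0 \pmod{1301}\) while \(C_1(-51) \not \equiv 0\), the gcd has degree one and the only ideal involved is \(\langle 1301, \alpha - 51\rangle \) with valuation 1, the "great generality" case of the text. Replacing \(C_1\) by \(x^2+1\) and A by \(x-1\) gives norm 2 with \(2 \mid {{\mathrm{disc}}}\), so the same routine flags a bad ideal instead.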

2.4 Linear Algebra

Once all valuations are computed, we get relations

$$\begin{aligned} (\deg A)\, {{\mathrm{vlog}}}(J_{f_0}) + \sum _{\mathfrak {q}_{0} \in \mathcal {B}_0} u_{\mathfrak {q}_{0}} {{\mathrm{vlog}}}(\mathfrak {q}_{0}) + \sum _{i=1}^{r} {{\mathrm{vlog}}}( SM _{0, i}) \\ \equiv (\deg A)\, {{\mathrm{vlog}}}(J_{f_1}) + \sum _{\mathfrak {q}_{1} \in \mathcal {B}_1} u_{\mathfrak {q}_{1}} {{\mathrm{vlog}}}(\mathfrak {q}_{1}) + \sum _{i=1}^{r} {{\mathrm{vlog}}}( SM _{1, i}) \bmod \ell \end{aligned}$$

in which the virtual logarithms are the unknowns.

A large matrix is built, each row corresponding to a relation and each column to a prime ideal, or the ideals \(J_{f_0}\) and \(J_{f_1}\), or Schirokauer maps. Then, we enter the classical process of filtering, whose aim is to reduce the size of the matrix via elementary operations on rows and columns. Once a smaller (but still sparse) matrix is obtained, we used the distributed Block Wiedemann implementation from CADO-NFS to find the kernel of the matrix. Reconstructing all logarithms from the kernel is done using Magma.

2.5 Computing Individual Logarithms

To complete our work, we compute individual discrete logarithms of random-looking targets generated from the decimals of \(\pi \). A target is an element of \({\mathbb F}_{p^6}\), and when it is an output of a pairing (see Sect. 1.2) or of XTR (Sect. 1.1), we first apply the isomorphism to the target to get our target in \({\mathbb F}_{p}[x]/(\varphi (x))\), that is, the degree 6 extension \({\mathbb F}_{p^6}\) defined by the polynomial \(\varphi (x)\) given by the polynomial selection. Computing this isomorphism has insignificant computational cost.

Initial Splitting Step (a.k.a. smoothing or boot). The first step is initial splitting and we refer to [24, 25] for a complete description. Given a target \(T_0 \in {\mathbb F}_{p}[x]/(\varphi (x))\), the strategy is to randomize it as \(g^iT_0\) where g is the generator of the order-\(\ell \) subgroup of \({\mathbb F}_{p^6}\), and try many exponents \(i \in [1,\ldots ,\ell -1]\) until the resultant of \(f_0\) and a preimage of \(g^iT_0\) in \({\mathbb Z}[x]\) is \(B_{{{\mathrm{init}}}}\)-smooth. Details are provided in Sect. 5.1.

Decreasing the Norms: Descent. The initial splitting step outputs a degree 2 polynomial \(T = b_0+b_1x+b_2x^2\) whose resultant with \(f_0\) is \(B_{{{\mathrm{init}}}}\)-smooth, that is \({{\mathrm{Res}}}_x(f_0,T) = \prod q_i^{e_i}\), where the \(q_i\) are prime numbers smaller than \(B_{{{\mathrm{init}}}}\). Each \(q_i\) is treated as a special-\(\mathfrak q\) and a sieving step in dimension 3 for the largest \(q_i\) is performed as in Sect. 2.2.

This forms a descent tree, where each node is a large prime, for which a relation involving only smaller primes is sought with a special-\(\mathfrak q\) search. The smaller primes obtained in the relation form the children of the node.

Lemma 1

([30, Lemma 2]). Let \(K = {\mathbb {Q}}[\theta ]\) and let \((a_0,\ldots ,a_{t-1})\) be a t-tuple of coprime integers. Then any prime ideal \(\mathfrak p\) that divides \(\sum _{i=0}^{t-1}a_i\theta ^i\) either divides the index \(f_\theta = [{\mathcal O}_K:{\mathbb Z}[\theta ]]\) or is of degree \(< t\).

In the relation collection, the degree of the polynomial A(x) that gives a relation is fixed to \(t-1\), which is usually 1 for prime fields, and 2 in our case. We have more freedom during the descent step: the degree can be different, typically larger than \(t-1\). Higher degree sieving for the descent was already analyzed in [17, Sect. 5.4] for prime fields, but it did not provide a notable practical advantage. In our present case, we do need to perform the descent phase with polynomials of degree at least 2. Further details are given in Sect. 5.

Final Recombination. When the factor basis is reached, that is we have a complete set of relations that starts from \(g^iT_0\) and finally is expressed in terms of ideals of small norm and known virtual discrete logarithm, then we recombine everything to obtain \(\log (g^i T_0)\), and eventually \(\log _g T_0\).

3 Cyclic Extensions in Degree 6

Cyclic extensions improve both relation collection and linear algebra, as already remarked in [30, Sect. 4.3]. The article [4] compiles many results and properties of virtual logarithms of elements in Galois extensions, including cases where logarithms of units vanish. In the same spirit, we add Lemma 2 and Theorem 1. The most striking result is that ideals of degree 2 have virtual logarithm equal to zero. This eases the linear algebra step in a minor way, but is still good to have.

3.1 A Cyclic Degree 6 Family

For convenience, we use the cyclic family of polynomials of degree six given in [22], parameterized by s:

$$C_s(x) = x^6 - 2sx^5 - (5s + 15)x^4 - 20x^3 + 5sx^2 + (2s + 6)x + 1.$$

Since \(C_{-(s+3)}(x) = x^6 C_{s}(1/x)\), we only consider \(s>0\). We compute

$${{\mathrm{disc}}}(C_s) = 2^6\cdot 3^6 (s^2 + 3 s + 9)^5.$$

For \(s \not \in \{0, 5\}\), \(C_s\) is irreducible, has 6 real roots and is equipped with a degree 6 cyclic automorphism \(\sigma : x \mapsto -(2x+1)/(x-1)\). We note that \(\sigma ^2(x)= -(x+1)/x\) is of order 3, and \(\sigma ^3(x) = -(x+2)/(2x+1)\) is of order 2. The number field \(K = {\mathbb Q}[x]/(C_s(x))\) has a quadratic subfield \(K^+\) defined by the polynomial \(h_s(y)= y^2 - 2sy - 3s-9\). Over \(K^+\), \(C_s\) splits as \((x^3 - yx^2 - (y+3)x - 1)(x^3 - \bar{y}x^2 - (\bar{y}+3)x - 1)\) where \(\bar{y}\) is the conjugate of y in \(K^+\). Generically, one has:

$$\begin{array}{c} {{\mathrm{N}}}_{K/{\mathbb {Q}}}(x-1) = {{\mathrm{N}}}_{K/{\mathbb {Q}}}(2x+1) = {{\mathrm{N}}}_{K/{\mathbb {Q}}}(x+2) = -3^3\\ {{\mathrm{N}}}_{K/{\mathbb {Q}}}(x) = {{\mathrm{N}}}_{K/{\mathbb {Q}}}(x+1) = 1. \end{array}$$

3.2 Cancellations of Virtual Logarithms

When we use NFS-DL with both polynomials from the family \(C_s(x)\), we observe the following consequence of \(C_s(x)\) having six real roots.

Lemma 2

For all principal ideals of \(O_K\), there exists a generator \(\gamma \) with Schirokauer maps \(\varLambda (\gamma )=0\). Furthermore, if the defining polynomial of K splits completely in \(\mathbb {R}\), then for any automorphism \(\sigma \) of K, we have \(\varLambda (\gamma ^\sigma )=0\).

Proof

By the assumption that \(\varLambda \) is surjective on the units, we may find \(\gamma \) with \(\varLambda (\gamma )=0\). Since the defining polynomial splits completely in \(\mathbb {R}\), the unit rank is \([K:{\mathbb {Q}}]-1\). Hence \(\varLambda (a)\) captures all but the first coordinate of L(a), following the notations used in Sect. 2.3. Then \(\varLambda (\gamma )=0\) implies that \(L(\gamma )(\alpha )\) is a rational number, which is Galois invariant.

A consequence of this lemma is that virtual logarithms are very constrained.

Theorem 1

Let p, \(\ell \), and the degree n be as in Sect. 2. Let K be a cyclic number field of degree n, whose defining polynomial splits completely in \(\mathbb {R}\). Assume that \(\ell \) is coprime to \(\#{\text {Cl}}({\mathcal O}_K)\) as well as \(p^c-1\) for all proper divisors c of n. If \(\mathfrak {q}\) is a prime ideal of \(O_K\) that has less than n distinct Galois conjugates (in particular, if its inertia degree is greater than 1, or if it is ramified), then \({{\mathrm{vlog}}}(\mathfrak {q})\equiv 0 \mod \ell \).

Proof

The virtual logarithm of \(\mathfrak {q}\) is unequivocally defined as \(h^{-1}\log _{\mathbb {F}_{p^n}}\gamma \), where \(h=\#{\text {Cl}}({\mathcal O}_K)\) is the class number of K, and \(\gamma \) is a generator of \(\mathfrak {q}^h\) as in Lemma 2. Let \(\sigma \) be the Frobenius automorphism of p (i.e. such that \(\alpha ^\sigma -\alpha ^p\in pO_K\)). Let \(c<n\) be the number of distinct conjugate prime ideals of \(\mathfrak {q}\). Because \({{\mathrm{Gal}}}(K/{\mathbb {Q}})\) is cyclic and p is inert, we have that \(\tau =\sigma ^c\) is such that \(\tau (\mathfrak {q})=\mathfrak {q}\) (i.e. \(\tau \) is in the decomposition group of \(\mathfrak {q}\)). Per Lemma 2, we have \(\varLambda (\gamma ^\tau )=0\), so that \(\log _{\mathbb {F}_{p^n}}(\gamma ^\tau )=p^c\log _{\mathbb {F}_{p^n}}\gamma \), whence \((p^c-1){{\mathrm{vlog}}}\mathfrak {q}=0\). Given that c is a proper divisor of n and \(\ell \) is coprime to \(p^c-1\), this concludes the proof.

4 Polynomial Selection for \({\mathbb F}_{{p}^{6}}\)

The polynomial selection is the first step of the NFS algorithm and its variants. Many methods were proposed in the last few years, and we can partition them in three types:

1. methods that define two number fields over a base field (originally \({\mathbb {Q}}\)). These are (in historical order) base-m, Joux–Lercier (JL), JL–Smart–Vercauteren \(\text {JLSV}_{\text {0}}\), \(\text {JLSV}_{\text {1}}\), \(\text {JLSV}_{\text {2}}\), generalized JL (GJL), Conjugation, and Sarkar–Singh [5, 19, 29, 30, 36, 45];

2. methods to exploit the structure of the subfields: TNFS and exTNFS, which require an adaptation of one of the above methods since the base field is no longer \({\mathbb {Q}}\) [7, 32, 33, 44, 47];

3. multiple-field variants that can apply to any of the previous methods [2, 41] (the prequels being [14] for factorization and [37] for prime fields).

Using an exTNFS variant for \({\mathbb F}_{p^6}\) would mean first defining a quadratic, resp. cubic number field as a base field, before running one of the type 1 polynomial selection methods, as if it were for \(n=3\), resp. \(n=2\). Because of this structure, an efficient sieve in dimension 4, resp. 6 would be required. In this paper we investigate a sieve in dimension three without a tower structure. This is a mandatory step before being able to run an efficient sieve in dimension four, and then implement exTNFS for the first time in \({\mathbb F}_{p^6}\). We will compare the following polynomial selections, with a sieve in dimension 2 or 3: JLSV\(_{1}\) [30], Conjugation [5], GJL [5, 36], and Sarkar–Singh [45], which is a combination of Conjugation and GJL that exploits the decomposition of n as \(2\times 3\) or \(3 \times 2\) without needing a tower extension.

4.1 First Comparison of Polynomial Selection Methods

To choose the best method, we first compare the average size of the norms in the sieving phase. We wrote a prototype of polynomial selection in Magma, whose aim is first to select polynomials with the smallest possible coefficients, without trying to improve the smoothness properties of the polynomials. Then with these polynomials, we compute the average of the pseudonorms of elements \(a_0 + a_1x\) for dimension two, and \(a_0 + a_1x + a_2 x^2\) for dimension three. We denote by S the size of the search space \(\mathcal {S}\), that is, \(S = \# \mathcal {S}\). For a sieving dimension t, \(\mathcal {S}\) is defined by the inequalities \(-E\le a_i\le E\) for \(0\le i<t-1\), and \(0<a_{t-1}\le E\), so that \(2S\approx (2E)^t\). To get a rough idea of the largest norm, we set the \(a_i=E\approx (2S)^{1/t}/2\), where \(S=L_Q[1/3,c+o(1)]\). To be more precise, we fix the o(1) in the formula for S such that it matches the previous relation collection record of 389 bits in \({\mathbb F}_{p^6}\) of [18] and set \(\log _2 S = 53\) for \(\log _2 p^6 = 389\) bits. Our estimates are presented in Fig. 2. Clearly, the \(\text {JLSV}_{\text {1}}\), Sarkar–Singh with \((\deg f_0,\deg f_1) = (8,6)\), and GJL methods with a dimension 3 sieve provide much smaller norms than the Conjugation method, which would only become competitive with a dimension 4 sieve, which is not yet available. We continued our comparison between the GJL, Sarkar–Singh (8, 6) and \(\text {JLSV}_{\text {1}}\) methods.

Fig. 2. Estimation of the sizes of the norms.

4.2 Refined Comparison of Polynomial Selection Methods

The size of the norms for a fixed size of \(Q=p^6\) and a fixed bound on the coefficients of the polynomials A in the set \(\mathcal {S}\) provides a first rough comparison of the polynomial selection methods. To refine the comparison, we start again from the same \(\mathcal {S}\) and same estimation of the norms, given \(p^6\) and polynomials \(f_0, f_1\). Then we set a smoothness bound \(B=S^{1/2}\) and approximate the probability of an integer of the same size as the norm to be B-smooth with the Dickman-\(\rho \) function [40]. We obtain an estimate of the total number of relations that we could get. Then we vary B to obtain at least \(\#(\mathcal {F}_0 \cup \mathcal {F}_1)\) relations. We check it with the inequality, where \({\text {Li}}(x)=\int _2^x\frac{dt}{\log t}\) is the offset logarithmic integral:

$$\begin{aligned} 2{\text {Li}}(B) \le S\cdot \Pr (N_{K_0/{\mathbb {Q}}} \text { is } B\text {-smooth})\cdot \Pr (N_{K_1/{\mathbb {Q}}} \text { is } B\text {-smooth}) \end{aligned}$$
(2)

We vary S again and adjust B accordingly in a bootstrapping process, to balance the expected time between relation collection and linear algebra: \(S^{1/2} = \#(\mathcal {F}_0 \cup \mathcal {F}_1)\). Our estimates are summarized in Table 1. We considered each side separately to estimate the smoothness probability (instead of the product of the norms in the asymptotic formulas). Other things held constant, it is better to have balanced norms. We also estimated the average best expected \(\alpha (f_0)\) and \(\alpha (f_1)\). The \(\alpha \) value is lower (i.e. better) for the dimension three sieve.
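The estimation procedure of this subsection, as an added example (written for this page, not the authors' Magma prototype): the Dickman \(\rho \) function is tabulated by integrating \(u\rho '(u) = -\rho (u-1)\), \({\text {Li}}\) is integrated numerically, and both sides of inequality (2) are evaluated with the smoothness probability taken side by side, as the text does. The setting \(\log _2 S = 53\) and \(B = S^{1/2}\) comes from Sect. 4.1; the norm sizes passed in are constructed inputs, not the values of Table 1, and the routine tells which of them would leave enough relations.

```python
# Expected relation yield for inequality (2) of Sect. 4.2: Dickman-rho smoothness
# probabilities and the offset logarithmic integral.  Added example, not the paper's
# Magma estimates; the norm sizes passed in are constructed, not the values of Table 1.
import math

H = 1e-3                 # grid step for the tabulation of rho
U_MAX = 30.0             # rho is tabulated on [0, U_MAX]; beyond it we return 0

def _tabulate_rho(u_max=U_MAX, h=H):
    """rho(u) = 1 on [0, 1]; for u > 1 integrate u*rho'(u) = -rho(u - 1) with the
    trapezoid rule.  Since h divides 1 exactly, rho(t - 1) is a table lookup."""
    n = int(round(1 / h))
    table = [1.0] * (n + 1)                        # rho(k*h) for k = 0..n, i.e. u <= 1
    k = n
    while k * h < u_max:
        k += 1
        t_prev, t = (k - 1) * h, k * h
        decrement = 0.5 * h * (table[k - 1 - n] / t_prev + table[k - n] / t)
        table.append(table[k - 1] - decrement)
    return table

RHO_TABLE = _tabulate_rho()

def dickman_rho(u):
    """Probability that an integer N is B-smooth, with u = log N / log B (linear interpolation)."""
    if u <= 1:
        return 1.0
    pos = u / H
    i = int(pos)
    if i + 1 >= len(RHO_TABLE):
        return 0.0
    frac = pos - i
    return (1 - frac) * RHO_TABLE[i] + frac * RHO_TABLE[i + 1]

def offset_li(x, steps=2000):
    """Li(x) = int_2^x dt / log t, by Simpson's rule after the substitution t = e^w."""
    a, b = math.log(2), math.log(x)
    h = (b - a) / steps
    total = 0.0
    for i in range(steps + 1):
        w = a + i * h
        weight = 1 if i in (0, steps) else (4 if i % 2 else 2)
        total += weight * math.exp(w) / w
    return total * h / 3

def relation_yield(log2_S, log2_B, norm_bits0, norm_bits1):
    """Both sides of (2): the expected number of relations S * Pr(N_0 smooth) * Pr(N_1 smooth),
    and the 2 Li(B) relations needed, each side's smoothness probability taken separately."""
    S, B = 2.0 ** log2_S, 2.0 ** log2_B
    expected = S * dickman_rho(norm_bits0 / log2_B) * dickman_rho(norm_bits1 / log2_B)
    return expected, 2 * offset_li(B)

def satisfies_inequality_2(log2_S, log2_B, norm_bits0, norm_bits1):
    expected, needed = relation_yield(log2_S, log2_B, norm_bits0, norm_bits1)
    return expected >= needed

if __name__ == "__main__":
    # log2 S = 53 and B = S^(1/2) as in Sect. 4.1; the per-side norm sizes below are constructed
    for bits in (60, 120, 180):
        exp_rel, needed = relation_yield(53, 26.5, bits, bits)
        print(f"{bits}-bit norms per side: {exp_rel:.3e} expected vs {needed:.3e} needed ->",
              satisfies_inequality_2(53, 26.5, bits, bits))
```

The bootstrapping loop of the text is then a matter of calling `relation_yield` repeatedly while moving S and B until the two sides balance; the table-based \(\rho \) is accurate to a few units in the fourth decimal place at \(u=2\) (where \(\rho (2) = 1 - \ln 2\)) and \(u=3\), which is more than enough for a comparison of polynomial selection methods.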

We assumed that a Galois automorphism of order six was available with the \(\text {JLSV}_{\text {1}}\) method, of order two with Sarkar–Singh (8, 6), but none with GJL. A Galois automorphism of order k provides a k-fold speedup for the relation collection. Unfortunately in our implementation, the linear algebra benefits at most from a two-fold speedup (for even k only).

For each size of finite field (240 bits to 422 bits), the \(\text {JLSV}_{\text {1}}\) method produces the smallest norms, which are balanced, and has a Galois speed-up of order six. For all these reasons it seemed the most promising method.

Table 1. Relation collection space and smoothness bound estimates, and approximation of the relation collection and linear algebra time.

4.3 Optimizing \(\text {JLSV}_{\text {1}}\) Pairs of Polynomials

The next step is to run the \(\text {JLSV}_{\text {1}}\) polynomial selection method for the given prime p, and to select polynomials that have good smoothness properties. For that we used the dimension three \(\alpha \) and Murphy’s E functions as defined in [18].

The \(\text {JLSV}_{\text {1}}\) method outputs two polynomials of degree n and coefficients of size \(p^{1/2}\). We used the cyclic degree 6 family \(C_s\) introduced in Sect. 3, allowing a six-fold speed-up in the relation collection. We can enumerate all the parameters s such that \(\sqrt{p}/2< |s| <\sqrt{p}\), \(C_s(x)\) is irreducible, and has a good \(\alpha \) value, that is \(\alpha (C_s)\le -2.0\) in our case. We pre-selected about 4000 such polynomials \(C_s\) as good \(f_0\) candidates. Given an \(f_0 = C_{s_0}\) for a certain \(s_0\), the second polynomial \(f_1\) is built as follows: one computes a rational reconstruction of the parameter \(s_0\) modulo p, \(s_0 = u/v \mod p\), where \(|u|,|v| \sim p^{1/2}\) and \(|v| \ne 1\). Then one sets \(f_1 = vC_{u/v}\). To improve \(\alpha (f_1)\) without increasing the size of the largest coefficient of \(f_1\), denoted by \(\Vert f_1\Vert _\infty = \max _{0 \le i\le \deg f_1} |f_{1,i}|\), we can enumerate the linear combinations \(f_1 + \lambda f_0\), where \( 0<|\lambda | < \Vert f_1\Vert _\infty / \Vert f_0\Vert _\infty \) (by construction, we will have \(\Vert f_1\Vert _\infty > \Vert f_0\Vert _\infty \) and we can choose to have \(\Vert f_1\Vert _\infty / \Vert f_0\Vert _\infty \) of about \(2^{10}\)). The improved polynomial \(f_1 + \lambda f_0\) is still in the family \(C_s\) since \(C_s\) is linear in s. There is a lot of room for improving \(\alpha \) in the \(\text {JLSV}_{\text {1}}\) method without increasing the size of the coefficients (nor the size of the norms), which is another reason why we chose it for our record computations.
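The construction of this section, checked on the p6bd65 pair printed in Sect. 5.2, as an added example that is not the paper's code. One assumption: the explicit form of the family \(C_s\) is reconstructed from the two \(f_0\) printed in Sect. 5.2 and 5.3 (the definition of Sect. 3 is not reproduced on this page); everything else (\(f_1 = vC_{u/v}\), the bound on \(\lambda\), the fact that \(f_1 + \lambda f_0\) stays in the family, and \(f_1 \equiv v f_0 \pmod p\) because \(s_0 \equiv u/v\)) follows from the text, and the code recovers p from the two polynomials.

```python
import math

# Degree-6 family C_s, linear in the parameter s. Assumption: this form is
# reconstructed from the two f_0 printed in Sect. 5.2 and 5.3 (Sect. 3 itself
# is not reproduced here). Coefficient lists run from the constant term to x^6.
def C(s):
    return [1, 2 * s + 6, 5 * s, -20, -(5 * s + 15), -2 * s, 1]

def scaled_C(u, v):
    """v * C_{u/v} with integer coefficients: the JLSV1 second polynomial f_1
    obtained from the rational reconstruction s_0 = u/v mod p."""
    return [v, 2 * u + 6 * v, 5 * u, -20 * v, -(5 * u + 15 * v), -2 * u, v]

def add_lambda_f0(f1, f0, lam):
    """The combination f_1 + lambda f_0 enumerated to improve alpha(f_1)."""
    return [a + lam * b for a, b in zip(f1, f0)]

def sup_norm(f):
    """||f||_inf, the largest coefficient in absolute value."""
    return max(abs(c) for c in f)

def lambda_bound(f0, f1):
    """Largest |lambda| tried: ||f_1||_inf / ||f_0||_inf, so that the
    combination does not grow the largest coefficient of f_1."""
    return sup_norm(f1) // sup_norm(f0)

def common_prime(f0, f1, v):
    """f_1 = v C_{u/v} and f_0 = C_{s_0} with u = s_0 v mod p, so f_1 - v f_0 is
    (u - s_0 v) times a fixed polynomial: the gcd of its coefficients is a
    multiple of p (here p itself, a 65-bit prime since p^6 has 389 bits)."""
    g = 0
    for a, b in zip(f1, f0):
        g = math.gcd(g, a - v * b)
    return g

# p6bd65 pair from Sect. 5.2: s_0 read off the x^5 coefficient of f_0, (u, v)
# off the x^5 and x^6 coefficients of f_1.
S0 = 109058536
U, V = -690545242321, 288064804440
F0_PAGE = [1, 218117078, 545292680, -20, -545292695, -218117072, 1]
F1_PAGE = [288064804440, 347298341998, -3452726211605, -5761296088800,
           -868245854995, 1381090484642, 288064804440]

def check_page_pair():
    """Consistency checks on the printed pair; returns (p, bound on lambda)."""
    assert C(S0) == F0_PAGE and scaled_C(U, V) == F1_PAGE
    p = common_prime(F0_PAGE, F1_PAGE, V)
    # every coefficient of f_1 - v f_0 vanishes mod p: both define the same F_{p^6}
    assert all((a - V * b) % p == 0 for a, b in zip(F1_PAGE, F0_PAGE))
    return p, lambda_bound(F0_PAGE, F1_PAGE)
```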

5 Computations

We ran complete computations in \({\mathbb F}_{{p}^{6}}\) for different problem sizes. Three of them were already done, at least partially, in previous work: for these, we provide an experimental improvement. For the largest problem size, the experimental data we provide is new. Timings of all these different works are summarized in Table 4, see also [23]. We used computer clusters of various research institutes and universities to run our experiments. Computations for bitsizes 240, 300 and 389 all used Intel Xeon E5520 CPUs, with clock speed 2.27 GHz, while for the 422-bit record, we also used a set of clusters from the grid5000 platform. We give in Table 2 the primes and the labels we will use to refer to them, for each bitsize. The p6bd40 problem was covered in [49]. Relation collection was dramatically improved by [18], and that paper also completed relation collection for the p6bd50 and p6bd65 problems. For this reason, we refer to [18] for experimental data about relation collection for these three problems, as we merely based our work on the data set produced by [18]. We contributed new linear algebra computations and new individual logarithm computations for problems p6bd40, p6bd50 and p6bd65, providing key improvements over the previous state of the art. We also report an entirely new computation for the larger challenge p6dd22.

Table 2. Primes, bitsizes and labels

Table 3 gives polynomial selection parameters, and relation collection parameters and results, for all experiments. The sieving region bounds are denoted by \(H=(a_0,a_1,a_2)\), the precomputed factor basis bounds involved in the sieve by lims = lim0,lim1 (a.k.a. fbb0,fbb1), and the large prime bounds, i.e. the smoothness bounds, by lpbs = lpb0,lpb1. In the sieving process, the prime ideals in \(K_0\), resp. \(K_1\), of norm at most lim0 bits, resp. lim1 bits, involved in a pseudo-norm are sieved. After the sieving process, if the remaining non-factorized part of a pseudo-norm is less than threshold bits, a cofactorization process with ECM tries to factor it further. This entails finding the prime ideals of norm between lims and lpbs. Details about the p6dd22 computation are given in Sect. 5.3.

Table 3. Properties of the polynomials, parameters and statistics of the relation collection with dimension two and dimension three sieving, see also [23].

5.1 Individual Logarithms

Initial Splitting Step. Since \({\mathbb F}_{p^6}\) has three proper subfields \({\mathbb F}_p\), \({\mathbb F}_{p^2}\) and \({\mathbb F}_{p^3}\), we can apply the fast initial splitting technique of [25]. The target \(T = a_0 + a_1x + a_2x^2+a_3x^3+a_4x^4+a_5x^5 \in {\mathbb F}_{p^6}\) is expressed as

$$\begin{aligned} T = w_0(u_0+U)(v_0+v_1V+V^2)(b_0+b_1x+b_2x^2), \end{aligned}$$
(3)

where \(\langle 1, U\rangle \) is a polynomial basis of \({\mathbb F}_{p^2}\), \(\langle 1, V, V^2\rangle \) is a polynomial basis of \({\mathbb F}_{p^3}\), \(w_i, u_i, v_i \in {\mathbb F}_p\) and \(|b_i| \approx p^{2/3}\), so that the resultant of \(f_0\) and \(b_0+b_1x+b_2x^2\) (where the \(b_i\)’s are lifted in \({\mathbb Z}\)) is bounded by \(O(p^5)\) (assuming \(\Vert f_0\Vert _\infty = p^{1/2}\) since we are in the \(\text {JLSV}_{\text {1}}\) case). We observed that a representation as in (3) was found for 2/3 of the \(g^iT_0\). If none is found, we skip that i and proceed to the next one. In the \(\text {JLSV}_{\text {1}}\) case for \({\mathbb F}_{p^6}\), asymptotically the optimal \(B_{{{\mathrm{init}}}}\) is \(L_{p^6}[2/3, 0.614]\) and the number of trials to find a smooth resultant is \(L_{p^6}[1/3, 1.357]\) [25].

The Descent. The descent was not manageable with the classical dimension two sieving, so we opted for dimension three sieving. This was due to the large size of the norms involved in the descent. The \(\text {JLSV}_{\text {1}}\) method does not have a preferred side for the descent: both polynomials have coefficients of size \(p^{1/2}\).

Given a special-\(\mathfrak q\) of norm \(\pm q\), the set of degree-2 polynomials A such that \(A(\alpha _0)\) (resp. \(A(\alpha _1)\)) involves \(\mathfrak q\) in its ideal factorization is a dimension three lattice \(\varLambda _\mathfrak q\) of volume q. Let \(\mathbf {v}_0, \mathbf {v}_1, \mathbf {v}_2\) be a reduced basis, obtained for example by the LLL algorithm. The coefficients of the vectors are typically close to \(q^{1/3}\). We enumerate linear combinations \(\lambda _0\mathbf {v}_0+\lambda _1\mathbf {v}_1+\lambda _2 \mathbf {v}_2\), which form the polynomials \(A(x) = \sum _{j=0}^2\sum _{i=0}^2 \lambda _i\mathbf {v}_{i}[j]x^j\), by the same (sieving) procedure as the one of the relation collection. Given a search space volume S, we bound the \(\lambda _i\)’s by \(S^{1/3}\), so that the resultant of A and \(f_0\) or \(f_1\) is bounded by \(O(S^2q^2p)\) [8]. When A is of degree 1, \(\varLambda _\mathfrak q\) is a two-dimensional lattice: the reduction of the lattice outputs two short vectors whose coefficients are typically close to \(q^{1/2}\), and the resultants are bounded by \(O(S^3q^3p^{1/2})\). The crossover point between dimension three and dimension two sieving is roughly at \(Sq = p^{1/2}\): when \(Sq > p^{1/2}\), one should prefer dimension three, while for \(Sq < p^{1/2}\) dimension two is better.

5.2 p6bd65

The polynomials are

$$\begin{aligned} f_0&= x^6 - {\scriptstyle 218117072} x^5 - {\scriptstyle 545292695} x^4 - {\scriptstyle 20} x^3 + {\scriptstyle 545292680} x^2 + {\scriptstyle 218117078} x + {\scriptstyle 1},\\ \text {and } f_1&= {\scriptstyle 288064804440} x^6 + {\scriptstyle 1381090484642} x^5 - {\scriptstyle 868245854995} x^4 - {\scriptstyle 5761296088800} x^3 \\ {}&\quad -\, {\scriptstyle 3452726211605} x^2 + {\scriptstyle 347298341998} x + {\scriptstyle 288064804440}. \end{aligned}$$

The relation collection was done in [18]. We only report the linear algebra and individual logarithm timings.

Linear Algebra. We used the Block Wiedemann implementation in CADO-NFS, with parameters \(n=10\) and \(m=20\). The cumulated core time for the various steps of the algorithm is 80 days for the Krylov sequences, 6 days for the linear generator computation, and 14 days for the final computation of the solution, which yielded the values of 19,805,202 logarithms of the factor bases.

Individual Logarithm. Take \(g = x+3 \in {\mathbb F}_{p^6}={\mathbb F}_{p}[x]/(f_0(x))\). From \({{\mathrm{N}}}_0(g) = 11\cdot 23\cdot 37\cdot 1398037\), we get \({{\mathrm{vlog}}}(g) = {\scriptstyle 907665820983150820551985406251606874974}.\) The target is

Descending all of these took approximately 19 h. We get

$${{\mathrm{vlog}}}(z) = {\scriptstyle 594727449023976898713456336273989724540}.$$

5.3 p6dd22

The polynomials are

$$\begin{aligned} f_0&= x^6 - {\scriptstyle 18375893742} x^5 - {\scriptstyle 45939734370} x^4 - {\scriptstyle 20} x^3 \\ {}&\quad +\, {\scriptstyle 45939734355} x^2 + {\scriptstyle 18375893748} x + {\scriptstyle 1},\\ \text {and } f_1&= {\scriptstyle 147003909360} x^6 - {\scriptstyle 738054758102} x^5 - {\scriptstyle 4050195535655} x^4 - {\scriptstyle 2940078187200} x^3 \\ {}&\quad +\, {\scriptstyle 1845136895255} x^2 + {\scriptstyle 1620078214262} x + {\scriptstyle 147003909360}. \end{aligned}$$

Relation Collection. For this computation, we selected the sieving region to be \(2^{10}\times 2^{10}\times 2^{8}\) for each special-\(\mathfrak {q}\). Both smoothness bounds were \(2^{29}\) and sieving bounds were \(2^{21}\). We sieved the \(2^{23.6}\) smallest special-\(\mathfrak q\)s on the \(f_0\)-side with norm larger than \(2^{21}\). More precisely, thanks to the order 6 Galois action, we only had to consider \(2^{21.1}\) special-\(\mathfrak q\) orbits.

We designed the polynomials with balanced coefficient sizes but unbalanced \(\alpha \): we were lucky and got \(\alpha (f_1)=-14.4\), but \(\alpha (f_0)=-2.2\) only. With the special-\(\mathfrak q\) on side 0, the norm ranged from 142 to 191 bits, once the contribution of the special-\(\mathfrak q\) was removed. On side 1, the norm ranged from 175 to 245 bits. Taking into account the offset \(\alpha /\log 2\) (3.2 and 20.8 bits), the yield was better with this choice of special-\(\mathfrak q\) than if we had put it on side 1, at least for the small special-\(\mathfrak q\)s. It was a closer call for larger special-\(\mathfrak q\)s. We increased the cofactorization threshold on side 1 from 110 to 115 and then 121 bits, allowing more room for the cofactorization process after the sieving. We found \(\approx \)72 M unique relations, after removing the 28.8% duplicates, in about 8400 core-days.

Linear Algebra. We used a combination of Intel Xeon E5-2630v3, E5-2650, E7-4850 v3 CPUs, connected with Infiniband FDR fabric. The block Wiedemann algorithm was used with parameters \(m=30\) and \(n=10\). The cumulated running times for the various steps of the algorithm were 2.67 core years for the computation of the Krylov sequences, 0.1 core years for the computation of the linear generator, and 0.3 core years for the computation of the solution vector.

Individual Discrete Logarithm Computation. Define \({\mathbb F}_{p^2} = {\mathbb F}_p[i]/(i^2+2)\). The curve \(E/{\mathbb F}_{p^2}: y^2 = x^3 + b,~ b=i+2\) is supersingular of trace p, hence of order \(p^2-p+1\). Define \({\mathbb F}_{p^6} = {\mathbb F}_{p^2}[j]/(j^3-b)\). The embedding field of the curve E is \({\mathbb F}_{p^6}\). We take \(G_0 = ({\scriptstyle 6}, {\scriptstyle 875904596857578874580} + {\scriptstyle 221098138973401953062} i)\) as a generator of \(E({\mathbb F}_{p^2})\), and \(G_1 = [651]G_0\) is a generator of \(E({\mathbb F}_{p^2})[\ell ]\). The distortion map \(\phi : (x,y) \mapsto (x^p/(j b^{(p-2)/3}), y^p/(b^{(p-1)/2}))\) gives a generator \(G_2=\phi (G_1)\) of the second dimension of the \(\ell \)-torsion. We take the point \(P_0 = ({\scriptstyle 314159265358979323847} + {\scriptstyle 264338327950288419716} i, {\scriptstyle 935658401868915145130} + {\scriptstyle 643077111364229171931} i) \in E({\mathbb F}_{p^2})\) from the decimals of \(\pi \), and \(P=651P_0\in E({\mathbb F}_{p^2})[\ell ]\) is our challenge. We aim to compute the discrete logarithm of P to base \(G_1\). To do so, we transfer \(G_1\) and P to \({\mathbb F}_{p^6}\), and obtain \(g={{\mathrm{e_{\text {Tate}}}}}(G_1, \phi (G_1))\) and \(t={{\mathrm{e_{\text {Tate}}}}}(P, \phi (G_1))\), or

$$\begin{aligned} t&= {\scriptstyle 265997258109245157592} + {\scriptstyle 397390775772974644009} x + {\scriptstyle 8418434607347781848} x^2 \\ {}&\quad +\, {\scriptstyle 1319940880937683823103} x^3 + {\scriptstyle 1160913500049277376294} x^4 + {\scriptstyle 775101705346231535180} x^5, \\ g&= {\scriptstyle 1189876249224772794459} + {\scriptstyle 375273593285154553828} x + {\scriptstyle 426102368940555566443} x^2 \\ {}&\quad + \,{\scriptstyle 192100975135320642877} x^3 + {\scriptstyle 871172323955942457570} x^4 + {\scriptstyle 95550149550418478996} x^5. \end{aligned}$$

The initial splitting gave a 41-bit smooth generator \(g^{545513} = uvw (-{\scriptstyle 141849807327922}-{\scriptstyle 5453622801413} x + {\scriptstyle 54146406319659} x^2)\) where \(u\in {\mathbb F}_{p^2}, v\in {\mathbb F}_{p^3}, w\in {\mathbb F}_p\) so that their logarithm modulo \(\ell \) is zero. The norm of the latter term is: \({\scriptstyle 3^3} \cdot {\scriptstyle 7^2} \cdot {\scriptstyle 11^2} \cdot {\scriptstyle 17} \cdot {\scriptstyle 317} \cdot {\scriptstyle 35812537} \cdot {\scriptstyle 16941885101} \cdot {\scriptstyle 17450874689} \cdot {\scriptstyle 22088674079} \cdot {\scriptstyle 35134635829} \cdot {\scriptstyle 85053580259} \cdot {\scriptstyle 144278841431} \cdot {\scriptstyle 1128022180423} \cdot {\scriptstyle 2178186439939}\). We had 8 special-\(\mathfrak q\) to descend. The smallest special-\(\mathfrak q\) had 34-bit norm \(q_{34} = 16941885101\). We used the same sieving implementation to find a relation involving this ideal, and smaller ones. We set the search space to \(2^{31}\) and the smoothness bound to 29 bits. We were able to find in 836 s on a Core i5-6500 @ 3.2 GHz three relations involving \(q_{34}\) on the side 0, and other prime ideals of norm strictly smaller than \(2^{29}\).

We also got a 45-bit smooth challenge of norm \( {\scriptstyle 821} \cdot {\scriptstyle 3877} \cdot {\scriptstyle 6788447} \cdot {\scriptstyle 75032879} \cdot {\scriptstyle 292064093} \cdot {\scriptstyle 257269999897} \cdot {\scriptstyle 456432316517} \cdot {\scriptstyle 1029313376969} \cdot {\scriptstyle 3142696252889} \cdot {\scriptstyle 4321280585357} \cdot {\scriptstyle 18415984442663}\):

$$g^{58779}t = u v w ( -{\scriptstyle 137392843659670} -{\scriptstyle 34918302724509} x +{\scriptstyle 13401171220212} x^2)$$

We obtained \({{\mathrm{vlog}}}(g)={\scriptstyle 1463611156020281390840341035255174419992}\) and \({{\mathrm{vlog}}}(t)={\scriptstyle 1800430200805697040532521612524029526611}\), so that \(\log _g(t) = {{\mathrm{vlog}}}(t)/{{\mathrm{vlog}}}(g) \mod \ell = {\scriptstyle 752078480268965770632869735397989464592}\).

Table 4. Comparison with other record computations in core-days, and total in core-years, including also the polynomial selection and individual logarithm computation if known. For references, see https://gitlab.inria.fr/dldb/discretelogdb.

6 Cryptographic Implications

We demonstrated the practicality of sieving in higher dimension for computing discrete logarithms in finite fields of medium characteristic, with a record-breaking computation in a 422-bit field \({\mathbb F}_{p^6}\). Moreover, our parameter comparisons of Sect. 4 can be extrapolated to estimate the cost of computing discrete logarithms in larger fields \({\mathbb F}_{p^6}\), and can also be generalized to \({\mathbb F}_{p^{12}}\). To reach the next pairing frontier, that is \({\mathbb F}_{{p}^{12}}\), it seems necessary to combine these ideas and extend them so as to make new variants practical. This work will be a useful additional step towards a precise estimation of the cost of computing discrete logarithms in the embedding field \({\mathbb F}_{{p}^{12}}\) of Barreto-Naehrig (BN) curves, following Barbulescu and Duquesne [3] and Menezes et al. [38].